[HLUG] Content filtering server, email server, domain controller

Julian Robbins joolsr at fastmail.fm
Mon Feb 9 20:46:37 UTC 2009


Paul Stenning wrote:
> Hi all,
>
> I am looking into what is needed for a new server requirement at work 
> later this year.  If possible I would like to do as much as possible 
> with Linux and open source, and just use virtualised Windows for the 
> areas where Linux can't be used.  Some of the requirements are:
>
> Domain controller:  The clients are all Windows (will be XP Pro or Vista 
> Business) and we want to have a proper login system whereby people can 
> use their username and password on any PC and get their own desktop, 
> files and settings etc.  This is the sort of thing that Windows domains 
> do well.  Can it be done in Linux or would we need a Windows server for 
> the domain controller?
>   
Hi Paul

We have a similar system at work that we've had for a few years now,
i.e. Linux servers, mostly Windows and some Linux desktops.

You can have roaming profiles in Samba, but we found it was a bit prone
to problems. Windows profiles can get a bit big, which is the problem,
and thus more likely to suffer corruption, so good user training, i.e. not
putting large files on their desktops, all helps. One of the Welsh unis
uses Samba with 12000 students - it's tried and trusted. The only niggle
we have had is support for new Windows OSes very early in their release,
but if anything this should be less of a problem now that MS have been
ordered to release details of the CIFS code to the Samba project. The
only other issue is that we found that in Windows you can use an odd
char, like a long dash char, that Ubuntu clients can't read off the server.

You can set Samba to be the PDC - it really works well. It's all in
smb.conf if you want to look it up.

A word of warning - get the permissions of your Samba shares set up
properly. It takes longer, but if you get staff leaving, and you remove
them as a user, you can get problems resetting ownerships on the files
they have created, unless you set up group permissions on your shares
rather than shares set with just user privs. Also, don't mix up Samba
privs and filesystem privs. Filesystem privileges always override Samba
ones, but if you use a mixture of the two, you'll get in a real mess!

> Email:  Currently the clients use Thunderbird to access email directly 
> from the web server using IMAP and send using SMTP.  We would like to 
> have our own email server which fetches email from the web server 
> (probably using POP3) every few minutes and which the users connect to 
> using Thunderbird and IMAP as now.  We would like to be able to retain 
> messages that the users delete for a period of time and to be able to 
> back up all email reliably.  We really do not want to head down the 
> Exchange/Outlook route.  What are our options with Linux?  Ease of 
> configuration would help of course!
>   

This is exactly what we use. fetchmail running, doing a POP, then
delivering the mail so that IMAP clients can pick it up. Thunderbird
works well with an IMAP server - we started with Thunderbird 0.8 and
Washington Uni IMAP server, now use Cyrus.
Other options are Dovecot. It may be better not to use fetchmail. It
works well enough but these days instantaneous emails being delivered is
expected a bit more. That said, this would require putting your mail
server in a firewall DMZ and security hardening it. Which, if you're
trying to do all of this with one box, isn't easily possible.

The main differences are whether you want to use mbox or maildir
formats, i.e. whether every email is stored as a file, or whether a
folder in your email client is stored as a single file. Each has its
pros and cons.

Mail servers are still IMHO the most complicated to set up once you have
added antispam and/or antivirus. Adding either or both increases the
complexity. It's a well trodden path though, and there are lots of good
Howto guides out there. SpamAssassin and Clam work excellently, but do
need some setting up.

If you have your antispam / AV done upstream it's much easier, but
riskier. Consider also some of the whole systems built to do this, some
commercial / some open source. I tried out http://www.mailscanner.info/
a long while back, which is great and it's still going strong, very
professional, and takes some of the grind out of configuration. But
still, you need to get into configuring it in some depth to get the best
out of it.

Mail backups are easy enough, mails are all files anyway in Linux .... ;-)

> Web content filtering:  We want to limit the websites users can access. 
>   Some sites (adult, illegal content etc) would always be blocked, most 
> others would be allowed for a certain amount of time each day (say one 
> hour to allow people to use Facebook, BBC News, Amazon etc during lunch) 
> and a selected few would be accessible all the time (the ones needed for 
> work).  We would need to be able to override the 1 hour restriction on 
> an ad-hoc basis easily if someone needs more access on a particular day.
>   
We use IPCop with various addons. It works OK, but there are odd
annoyances sometimes. DansGuardian may be worth looking at, or
Smoothwall/Astaro if you want to pay money.

> File sharing:  That's easy enough - Samba.  It needs to link into the 
> domain controller stuff though so it follows password changes.
>
> Intranet and development web server:  Easy, Apache with PHP and MySQL.
>   
Yep. You have to set up Samba users as well as Linux users, but it's all
easy enough once you've worked it out.

> Managing the whole thing:  Probably Webmin.  Remote access to this would 
> be very useful but that will probably be handled by VPN routers.
>   
Webmin is OK, and is the way we went to start with. But there is the
possibility for some of the third party modules that they overwrite your
own custom tweaks if not tested thoroughly. This was a few years ago
though, so it may have improved ... Best to learn it yourself if
possible - unless you've got other staff to train who don't want Linux.

> Eset anti-virus management:  That will have to be done with Windows in 
> vmware (or virtualbox if I can get it to work).
>   
Will have to be Windows, but it may possibly work in WINE. WINE works
pretty well with a lot of software nowadays.

> Backup:  On my home server I am using Simple Backup to backup to a 
> removable USB drive every day.  It works reasonably well except it has 
> no way of notifying if the backup disk is full.  Backing up to tape 
> would be useful but there seems to be a shortage of easy-to-configure 
> tape backup applications.  It obviously needs to back up the email, 
> documents and all user desktop settings etc.
>   
tar is the star. There are a lot of tape backups still out there. Many
sysadmins still like scripts with tar / SSH etc. I would consider
backing up to disk instead though these days, with the abundance of
disk-based cheap disks around. Rsync works really well, extremely useful, and
there are loads of utilities based around it. BackupPC is what I would
recommend.

> If I can do most of this with Linux I will probably go for Ubuntu Server 
> 8.04 LTS as that's what I'm familiar with.  CentOS is another possibility.
>   
Ubuntu server is fine. There's not a great deal of difference really.
Package management is still better in Debian based systems though. Don't
forget the Ubuntu server stuff isn't GUI based though. But there are some
tools to help.

> So how much of this can be done with Linux, what packages are suggested 
> and how easy is it to configure?  Most is possible with Windows Small 
> Business Server (which uses the dreaded Exchange Server) with a separate 
> content filtering application, and I have done most of that with Windows 
> SBS for another client.  I'd like to do it with Linux this time though.
>   
All of this can be done in Linux!! And work extremely well too!! But
it can be intimidating and need some initial help. The great thing with
using Linux here is the transparency and openness - backing up is easy
with open formats - it gives you so many options and flexibility. You
can do much more with your network too, with SSH and rsync utilities.
Even backing up over the net!

Linux may be free, but there is a learning curve, it does/can cost money
too and time. But you do get a system YOU control, with high levels of
reliability and flexibility.

Please email me offlist if you would like to come and see our Linux
server setup at work.

Julian
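
An added example, not part of the original post: a check for the share-permission warning above. Because filesystem permissions win over smb.conf settings, it audits the share's directory tree itself for files that would be stranded when their creator's account is removed. The function names, the example path and group, and the smb.conf settings named in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit (and optionally repair) the filesystem side of a
# Samba share so files stay usable after their creator's account is removed.
# Filesystem permissions override smb.conf, so the tree itself is checked.
# Assumed share-side settings in smb.conf: valid users = @GROUP, force group.

# audit_share DIR GROUP -> prints findings, returns 1 if any were found.
audit_share() {
    share_dir=$1
    share_group=$2
    findings=$(
        # Entries owned by some other group (often a user's private group).
        find "$share_dir" ! -type l ! -group "$share_group" -print |
            sed 's/^/WRONG_GROUP /'
        # Directories without setgid: new files get the creator's own group.
        find "$share_dir" -type d ! -perm -2000 -print |
            sed 's/^/NO_SETGID /'
        # Entries the group cannot write: only the owner can change them.
        find "$share_dir" ! -type l ! -perm -020 -print |
            sed 's/^/GROUP_CANNOT_WRITE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# fix_share DIR GROUP -> hand the whole tree to the group (run as root).
fix_share() {
    chgrp -R "$2" "$1" &&
    chmod -R g+rwX "$1" &&
    find "$1" -type d -exec chmod g+s {} +
}

# Stand-alone use (hypothetical path and group):
#   ./audit_share.sh /srv/samba/projects staff
if [ "$#" -ge 2 ]; then
    audit_share "$1" "$2"
fi
```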


